CVE-2025-68157
📋 TL;DR
This CVE describes a security bypass vulnerability in Webpack's HTTP(S) resolver when the experiments.buildHttp feature is enabled. It allows attackers to bypass URL allow-list restrictions by exploiting HTTP redirects, potentially leading to server-side request forgery (SSRF) and inclusion of untrusted content in build outputs. Organizations using Webpack versions 5.49.0 to 5.103.0 with experiments.buildHttp enabled are affected.
💻 Affected Systems
- webpack
📦 What is this software?
Webpack by Webpack.js
⚠️ Risk & Real-World Impact
Worst Case
Attackers can force the build system to make requests to internal-only endpoints (SSRF), potentially accessing sensitive internal services, and inject malicious code into production bundles that gets deployed to end users.
Likely Case
Build-time SSRF allowing attackers to probe internal networks and include untrusted content in build outputs, potentially leading to supply chain attacks or data exfiltration.
If Mitigated
Limited impact if experiments.buildHttp is disabled or if network access from build machines is properly restricted.
🎯 Exploit Status
Exploitation requires control over HTTP responses from allowed URLs so that they redirect to disallowed targets. No authentication is required if an attacker can influence the build process.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.104.0
Vendor Advisory: https://github.com/webpack/webpack/security/advisories/GHSA-38r7-794h-5758
Restart Required: No
Instructions:
1. Update webpack to version 5.104.0 or later using npm: npm update webpack@^5.104.0
2. Verify the update with: npm list webpack
3. Rebuild your project to ensure the fix is applied.
🔧 Temporary Workarounds
Disable experiments.buildHttp
Disable the vulnerable experimental feature in webpack configuration
Remove or set experiments.buildHttp to false in webpack.config.js
Restrict network access
Limit build machine network access to prevent SSRF
Configure firewall rules to restrict outbound HTTP/HTTPS from build machines
🧯 If You Can't Patch
- Disable experiments.buildHttp feature in webpack configuration
- Implement strict network segmentation to isolate build machines from internal services
🔍 How to Verify
Check if Vulnerable:
Check webpack version and configuration:
1. Run: npm list webpack
2. Check if the version is between 5.49.0 and 5.103.0
3. Check webpack.config.js for experiments.buildHttp: true
Check Version:
npm list webpack | grep webpack
Verify Fix Applied:
1. Verify the webpack version is 5.104.0 or higher: npm list webpack
2. Test with a controlled redirect scenario to ensure allow-list enforcement works after redirects
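As an added illustration (not webpack's own code), this is the contrast the redirect test in step 2 is looking for: an allow-list consulted only for the requested URL versus one re-checked on every redirect hop. The HTTP responses are a constructed table so it runs offline, and the rule shapes (string prefix or RegExp) are an assumption modelled on the allowedUris option of experiments.buildHttp.

```javascript
// Constructed stand-in for real HTTP responses (no network involved).
const RESPONSES = {
  "https://cdn.example.com/lib.js": { status: 302, location: "http://10.0.0.5/internal-service" },
  "https://cdn.example.com/ok.js": { status: 301, location: "/v2/ok.js" },
  "https://cdn.example.com/v2/ok.js": { status: 200, body: "export const ok = true;" },
  "http://10.0.0.5/internal-service": { status: 200, body: "internal-only data" },
};
function fakeRequest(url) {
  return RESPONSES[url] ?? { status: 404, body: "" };
}

// Allow-list rule: a string is a URL prefix, a RegExp is matched against the URL.
function isAllowed(url, allowedUris) {
  return allowedUris.some((rule) =>
    typeof rule === "string" ? url.startsWith(rule) : rule.test(url));
}

// Vulnerable pattern: the allow-list is consulted for the requested URL only;
// whatever each 3xx Location header points at is fetched without a second look.
function fetchNaive(url, allowedUris, maxRedirects = 5) {
  if (!isAllowed(url, allowedUris)) return { ok: false, blockedUrl: url };
  let current = url;
  for (let i = 0; i <= maxRedirects; i++) {
    const res = fakeRequest(current);
    if (res.status >= 300 && res.status < 400) {
      current = new URL(res.location, current).href; // resolve relative Location
      continue;
    }
    return { ok: res.status === 200, finalUrl: current, body: res.body };
  }
  return { ok: false, blockedUrl: current, reason: "too many redirects" };
}

// Hardened pattern: every hop, including the target of each Location header,
// must pass the allow-list before it is requested.
function fetchChecked(url, allowedUris, maxRedirects = 5) {
  let current = url;
  for (let i = 0; i <= maxRedirects; i++) {
    if (!isAllowed(current, allowedUris)) return { ok: false, blockedUrl: current };
    const res = fakeRequest(current);
    if (res.status >= 300 && res.status < 400) {
      current = new URL(res.location, current).href;
      continue;
    }
    return { ok: res.status === 200, finalUrl: current, body: res.body };
  }
  return { ok: false, blockedUrl: current, reason: "too many redirects" };
}

const ALLOWED = ["https://cdn.example.com/"]; // constructed allow-list
```

With the naive fetcher the redirect lands on the internal address and its body would become build input; the checked fetcher refuses the hop while still following a same-origin relative redirect.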
📡 Detection & Monitoring
Log Indicators:
- Unexpected HTTP redirects during build process
- Build requests to unexpected domains or internal IPs
- Failed allow-list validation messages
Network Indicators:
- Build machine making HTTP requests to internal-only endpoints
- Unexpected outbound connections from build systems during compilation
SIEM Query:
source="webpack-build-logs" AND (http_redirect OR allow_list_failure OR unexpected_domain)